Idaho county pays ransom to release encrypted servers

BLACKFOOT — Bingham County ended up paying more than $3,000 in ransom after it was unable to fully recover from an attack on county servers.

The ransomware attack was initially discovered Feb. 15, when county dispatchers were unable to access systems crucial to emergency responders.

Information technology personnel were called in at 4 a.m. and quickly learned hackers had delivered malware to the county servers that encrypted the data and made the computer systems inaccessible to county employees.

“They were scanning a range of IP addresses, poking at each one looking for an open port,” Computer Arts contractor Adam Michaelson told EastIdahoNews.com. “Once they found an open port, they used a program to brute force login in passwords.”

Computer Arts is a local computer company that provides IT support to the county.

Michaelson explained that brute forcing passwords is done by using a program that bombards logins with every possible variation of numbers and characters until it finds one that works.

“They kept doing that until they were able to get administration rights,” Michaelson said. “When they got those rights, they dumped their program on us and encrypted everything.”

The program deposited a web link in every folder on the county servers. The link led to the ransom note, which detailed the attack and demanded $28,000 delivered in bitcoin for a password to decrypt the county servers.

Bingham County Commissioner Whitney Manwaring said every department in the county was affected in some way. Most departments had to handwrite documents as official records.

At the time, county officials didn’t believe it was necessary to pay the ransom as they had multiple backup systems in place.

Nearly all the county servers were backed up, and that information was recovered. But two servers containing geographic information were still infected, as well as a server attached to the Bingham County Prosecutor’s Office.

Faced with the prospect of not recovering the information, the county chose to pay the hackers 3 bitcoins, a price that varies daily but is around $3,500. The ransom was determined to be cheaper to taxpayers than buying new servers.

After paying the ransom, IT personnel were provided a digital key that allowed them to remove the encrypted software.

“I’d say we are at about 90 percent back to normal,” Computer Arts contractor Chris Rhoads said. “We basically had to completely rebuild our servers and the removing the encryption will take days to complete due to the massive amount of information affected.”

Rhoads anticipates future problems, as many programs are only used a few times a year.

“There will be issues that we don’t even know about yet, but we will fix those problems quickly as the arise,” Rhoads said.

The IT team working in Bingham County says the cost of repairing the servers is nearing the $100,000 mark, and it could take until 2018 to be 100 percent back to normal.

New password protocols have been put into place and additional firewalls have been added to prevent this kind of attack from happening again.

“You never want to pay a ransom — if you do you get tagged as a potential future victim,” Michaelson said. “If you have no choice but to pay the ransom, you had better be sure they can’t come back and get you again. I’d say we have done that here.”

The actual source of the ransomware is unknown, but servers involved in the attack were traced to the Netherlands, Germany and Russia, according to Bingham County Information Technology Manager Tracy Reifschneider.

Michaelson said the hackers left a very clear and obvious trail.

“It very clear to us that they took no information from our servers — they only dropped the encryption program on us,” Michaelson said. “Other hacks around the country have stolen thousands of Social Security numbers with names and birthdays, but that wasn’t the case here.”